Thumbs Up

Experts Say iPhone 5S Fingerprint Security Feature Can Be Hacked

Got a piece of tape? Apple’s new authentication innovation could be cracked—and create a nightmare for users. Winston Ross explains.

Ask anyone who’s ever lived with a jealous boyfriend or girlfriend: If someone wants to get into your phone, they will find a way to get into your phone.

That said, it’s worth considering in the wake of Apple’s announcement this week that the next generation of (high-end) iPhones will come with a fingerprint sensor: is that two tech steps forward, or two steps back, if you’re trying to keep your Snapchats from prying eyes?

Turns out, it’s kind of standing still. While fingerprint sensors might seem like a nifty way to shorten the steps to your next brilliant tweet and keep your buddy from punking your Facebook with a fake status update, they’re more likely to create a false sense of security, thanks to statements like this, from Apple Senior Vice President Dan Riccio, in the introductory video for the new iPhone 5s:

“Your fingerprint is one of the best passwords in the world. It’s always with you, and no two are exactly alike.”

Riccio is half-right. Your fingerprint is always with you, and no two are exactly alike. But that doesn’t make it one of the best passwords in the world. That actually makes it a potentially lousy password, says Gene Meltser, technical director for Chicago-based security firm Neohapsis Labs, because there’s nothing you can do to change it, to keep the cyberthugs guessing.

Any goober can stick a piece of tape on a greasy thumb depression left on a soda can, peel it off, scan it into a computer, and figure out a way to trick a fingerprint sensor.

“All we have are 10 fingers,” Meltser told The Daily Beast. “That means we can only authenticate successfully 10 times. Once that data is compromised, we are for the rest of our lives unable to authenticate.”

We leave fingerprints everywhere, every day, all day long. Any goober can stick a piece of tape on a greasy thumb depression left on a soda can, peel it off, scan it into a computer, and figure out a way to trick a fingerprint sensor into letting him inside.

Passwords, on the other hand, are stored (or should be stored) only inside the brain. You don’t walk around all day slapping your PIN code on toilet seats and door handles. And even if you did do that, or you figured out someone had peeped over your shoulder and swiped your password, you could change it, and you’re back in Secureville. If someone grabs your fingerprint, and that’s what you use to get into your phone, they’ll always have it. And unless you find some sweet 007 technique for burning your fingertips off and creating a whole new set, you will not be able to do anything to set a “new” password.

“If somebody fakes your fingerprint” and then uses that to make a bunch of fraudulent purchases, “you’d have a very hard time proving that person was not you,” Jennifer Lynch, staff attorney at the Electronic Freedom Foundation. “It’s your fingerprint.”

But wait! Apple says its fingerprint sensors will be activated only by the tips of the fingers/thumb, which is not quite the same pattern as those left on street lamps and steering wheels. Anyone who uses Apple’s Touch ID sensor (that’s the official name) will have to create a backup passcode on the phone that will be necessary any time the device has been rebooted or hasn’t been unlocked for two days. So maybe that resolves the security problem.

Maybe. But the only truly secure authentication, Meltser says, is a three-legged stool: something you are, something you carry, and something you know. So a fingerprint is something you are, and a password is something you know. But because both of those can be stolen, only the addition of that third thing—something you carry—can truly keep your Instagram safe.

Something you carry could be something like a “cryptographic RSA token,” a physical dongle that you carry around to authenticate things with, and of course there are very few people aside from corporate spies and very determined cheating spouses who would go to all those steps. But the takeaway is the takeaway: fingerprint sensors don’t make anything more secure. Unless you’re one of those people: “A lot of iPhone users aren’t using a passcode to lock their phone at all,” said the EFF’s Lynch.

But what about that new M7 chip, also available on the iPhone 5s? The one that aggregates data from the phone’s accelerometer and GPS to use with health and fitness apps, to allow people to record their every jaunt from couch to bathroom? Doesn’t that make us easier to track?

No, sorry. The phone was already recording all that information, Lynch says. So if it’s going to wind up in an NSA metadata sweep, it’s going to wind up in an NSA metadata sweep. Now it’ll just be easier for you to play with it.

Speaking of the NSA, what about all those fingerprints being uploaded to some kind of fingerprint database and then getting hacked and forever compromised and used to break into our bank accounts and post bad status updates on our behalves?

All fair things to be worried about, but not with this pioneering generation of mobile fingerprint scanners. The print will be stored only in the phone itself, not uploaded to cloud-computing systems, says Apple, and even that storage will be an encrypted file.

Let’s all just remember then what the fingerprint sensor is and what it isn’t. It isn’t more secure, unless you’re pairing it with a password. It is more convenient, which to those of us not buying drugs on Silk Road or philandering with our teaching assistants is probably all we care about anyway.